This typosquatting attack on npm went undetected for 2 weeks

A two-week-old campaign to steal developers' credentials using malicious code distributed through npm, the Node.js package management registry, has been halted with the removal of 39 malicious npm packages. Developers regularly add these bundles of JavaScript code to Node.js applications to implement common functions, so they …

  1. Anonymous Coward

    The node package model is horrible. Trivial functions would be better just copied at the start of the project. Letting all these code dependencies dynamically mutate is terrifying, and like building a house on wet sand.

    1. Orv

      This is why I usually pin specific version numbers in node projects. I don't want things updating willy-nilly.

  2. John Smith 19

    Hopefully the account holder is being investigated for this?

    So it's like the update systems that Linux distros use, but anyone can contribute to it?

    What could possibly go wrong with that?

    Obvious question would be did El Reg developers pick up any packages from here?

    TBH I've been finding the site a bit slow and flaky for the last few days.

  3. Alistair

    urrrm -- wait

    *anyone* can push to the package repository.

    from anywhere?

    sooo -- more like a sideload site than a development repository.

    "Hot new programming language acquires shotgun. Removes both feet"

  4. Anonymous Coward

    Environment variables?

    A well known, easy to inspect, not encrypted, memory of each process used to store sensitive information? Web developers are the peak of naivety.

    1. Anonymous Coward

      Re: Environment variables?

      Where do you store things like database credentials and API keys?

  5. nagyeger

    npm is security hole...

    This is news?

    I worked /that/ out as soon as my first venture into running a node package - from an apt repo - that looked interesting started downloading unsigned packages without asking me.

    apt-get purge


Biting the hand that feeds IT © 1998–2020